Hello,
Currently, attacks occur using a vulnerability in a vulnerable FCKeditor version of the file manager, as shipped with some ColdFusion servers:
http://isc.sans.org/diary.html?storyid=6715
The vulnerability consists of sending a PHP file (e.g. test.php) BUT using a ZIP header at the beginning of the file to bypass the security check, and then putting the PHP (or ASP, CFM) code after it in the file. In this case, the PHP (or ASP, CFM) code is evaluated on the server.
This vulnerability has been known since October 2008:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-6178
http://www.securityfocus.com/bid/31812/info
Unfortunately, as there is no security section on the FCKeditor Web site (sorry if I missed it; in that case, thanks for the URL), does anyone know:
- Is this vulnerability fixed in recent FCKeditor versions?
- Has a patch been distributed?
- Is it possible to restrict access to the file manager connector using internal FCKeditor commands, instead of disabling it for the moment?
Regards.
Fri, 07/03/2009 - 15:03
#1
Re: FCKEditor and current vulnerability exploited in the Wild
Please use the contact form to send us a message about discovered vulnerabilities.
Whenever security issues are fixed, they are mentioned here: http://www.fckeditor.net/whatsnew.
The problem is in the application that is distributed with FCKeditor with the file browser enabled by default. We can't do much about that.
If you download FCKeditor from our website, the file browser is disabled; you should read the configuration file carefully and enable it only for authenticated users.
This is yet another example of a vulnerability introduced in another application.
FCKeditor does not try to detect the MIME type of a file; the extension check is based on the file name (extension).
Yes, open fckeditor\editor\filemanager\connectors\config.ext and make sure that Enabled is set to true only for users who should have access to it.
Wiktor Walc
CTO, CKSource - http://cksource.com
Re: FCKEditor and current vulnerability exploited in the Wild
I was not speaking about a newly discovered vulnerability (in that case, of course, I should have used a private contact form), but about a known "exploited in the wild" vulnerability from several days ago: http://www.ocert.org/advisories/ocert-2009-007.html. I first tried to find the keyword "security" or a CVE reference on http://www.fckeditor.net/whatsnew but I didn't find it. Can you give me some help with this?
It seems the new vulnerability will be fixed tomorrow (2.6.4.1 fixes it).
If I understand correctly, now you can do much with that, because the problem isn't about having the file browser enabled or not (of course there is no problem if you disable it), but about how the stuff works.
I was wrong, because I was trying to find the vulnerability currently used in attacks, which was the main goal of my first message. The one I was speaking about may be, as you said, a problem with another product (such as the Web server in this case) and not FCKeditor itself. Maybe you should send a message to well-known security mailing lists to give your opinion, in order to cancel this vulnerability (currently this vulnerability exists everywhere in well-known places).
Thank you for the tip; this is an interesting workaround while waiting for the new FCKeditor version.
Re: FCKEditor and current vulnerability exploited in the Wild
Excuse me, but that's not a workaround.
That's a must if you want to keep control of your server.
If you allow anyone to upload files to your server, then you are just waiting for another exploit to happen, and then you'll cry again at that time.
For an attack to succeed, all the defenses must fail, so as long as we try to cover all the possible weak points, we can be protected against a single exploit.
This is my personal opinion, and I'm not any kind of security expert:
1. Security by obscurity: if you place FCKeditor in another folder, then you are avoiding any automated script that checks the root of the server for /fckeditor/. This is no security by itself, but it will take your server out of a mass attack that only looks at certain locations; it might give you some extra time if such an attack happens.
I repeat: this is only a step to delay the attack against your server slightly; it's not a real security measure.
2. Remove any unused files and scripts.
If you delete it, it can't be used by an attacker.
3. With regard to the file browser, you must verify that the connector is enabled only for those users who must have access to it. This same advice is available in all the config.ext files.
Failing to do so means that anyone can upload files to your server. It's not a big security risk by itself, but it is an open door that can be used together with some other attack.
4. Don't allow any kind of file to be uploaded. Be careful if you change the allowed and denied extensions.
5. Restrict the ability to run scripts in the "userfiles" folder. Even if an attacker is somehow able to upload a script to your server, if he can't run it then it's worthless to him. As an example, this script for CKFinder tries to detect whether the server is properly configured, and the last checks verify this point. Currently there's only the ASP version, and as I said, it's only for CKFinder, not for the default FCKeditor file manager, but I don't have enough time to implement all the ideas, so expanding it to other targets isn't feasible for me.
In IIS you must change the permissions of the folder with the control panel (in a way similar to how you set the write permissions); the exact interface might depend on your ISP.
For Apache you can use .htaccess, if I'm not mistaken. I don't know about other servers, but it would be nice to have a common doc explaining how to restrict this ability.
6. Stay updated. Some of those linked advisories talked about products using FCKeditor 2.2 and 2.4. There are lots of changes between those versions and the latest one. Not so many in the file manager, but every now and then there's a little adjustment there, some weak point that is being protected, and although it might not be marked as "warning, this is a huge security risk", it might be something that is later found to be usable to attack a system.
If you follow all this advice, it would be quite hard for a random attacker to succeed. I won't claim that anything is perfect, but all the attacks against FCKeditor that I've read so far are against the file manager, and they start by failing to protect the third step. They leave the file manager enabled for everyone because they don't know a minimum of server programming to protect it, so they just leave it enabled. (Some people think that filemanager\connectors\test.html and filemanager\connectors\uploadtest.html are security risks because they find that they allow uploading files, without understanding that the only problem is how they have configured the connector.)
Writing a login page is easy; relying only on security by obscurity, hoping that an attacker won't find your server, is bound to fail.
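The two config points raised in this thread (the connector being enabled only for authenticated users, and the allowed/denied extension lists) can be illustrated with a small upload gate. The block below is an added example written for this page; it is not FCKeditor's connector code and does not use its config.ext key names. The session dictionary, the `can_upload` flag, and the two extension lists are constructed for the example (the real per-resource-type lists live in your own config.ext). It deliberately shows the deny-list style beside an allow-list, because a deny-list silently accepts any server-side extension nobody thought to list (a .cfm on a ColdFusion host, for instance), and it goes slightly beyond the thread by also rejecting names with several extensions and dot-leading names, so an uploaded `.htaccess` cannot re-enable script execution in userfiles.

```python
import os
import re

# Constructed sample lists for this example. FCKeditor's real config.ext files carry
# per-resource-type allowed/denied extension lists; audit yours rather than copying these.
DENIED_EXTENSIONS = {"php", "php3", "php5", "phtml", "asp", "aspx", "jsp", "pl", "cgi", "exe"}
ALLOWED_EXTENSIONS = {"zip", "pdf", "txt", "jpg", "jpeg", "png", "gif"}

# A sane stored file name: starts with a letter, digit or underscore, then only
# letters, digits, underscore, dot or dash. Rejects ".htaccess" and path separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def _base_name(filename: str) -> str:
    """Strip any client-supplied directory part (either separator style) and
    the trailing dots/spaces that Windows drops when the file is written."""
    return os.path.basename(filename.replace("\\", "/")).rstrip(". ")


def extension_of(filename: str) -> str:
    """Lowercase extension after the last dot, or '' if there is none."""
    root, dot, ext = _base_name(filename).rpartition(".")
    return ext.lower() if dot and root else ""


def denylist_check(filename: str) -> bool:
    """Deny-list style: accept anything whose extension is not explicitly listed.
    Weakness: an extension the list author forgot (e.g. cfm) sails through."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def allowlist_check(filename: str) -> bool:
    """Allow-list style: the name must look sane and EVERY dot-separated segment
    after the first must be an allowed extension, so 'shell.php.zip' fails too."""
    base = _base_name(filename)
    if not _SAFE_NAME.match(base):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False
    return all(p in ALLOWED_EXTENSIONS for p in parts[1:])


def connector_enabled(session: dict) -> bool:
    """Step 3 of the thread: the connector is enabled only for an authenticated
    session that has been explicitly granted upload rights (assumed session keys)."""
    return bool(session.get("user")) and session.get("can_upload") is True


def upload_decision(session: dict, filename: str) -> str:
    """Order matters: an anonymous caller never reaches the extension check."""
    if not connector_enabled(session):
        return "denied: connector disabled for this session"
    if not allowlist_check(filename):
        return "denied: extension not allowed"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample file names, including the cases that trip a deny-list.
    samples = ["report.zip", "shell.php", "shell.PHP.", "shell.cfm", "shell.php.zip", ".htaccess"]
    anonymous = {}
    editor = {"user": "alice", "can_upload": True}
    for name in samples:
        print(f"{name:14} deny-list={denylist_check(name)!s:5} allow-list={allowlist_check(name)!s:5} "
              f"anon={upload_decision(anonymous, name)!r} editor={upload_decision(editor, name)!r}")
```

The deny-list column is what the thread warns about: `shell.cfm` and `shell.php.zip` both pass it, while the allow-list rejects them. Neither check inspects file content, which matches the statement above that the extension check is name-based; the content of a ZIP-headed file only matters if the server will execute it, which is why step 5 (no script execution under userfiles) stays necessary regardless of which list you use.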
Re: FCKEditor and current vulnerability exploited in the Wild
That being the case, does the security issue still exist if the file browser is enabled in config.ext but LinkUpload, ImageUpload and FlashUpload are all disabled in fckconfig.js?
Thanks
Re: FCKEditor and current vulnerability exploited in the Wild
They will go directly against your connector, and if you have left it enabled for everyone, then you are running a high risk.